Employing least privilege access by minimizing permissions for end-user account access is an important aspect of building a cybersecurity program.

Admittedly, assigning appropriate access levels and setting up account separation adds administrative workload and can be unpopular with your end-users, but the practice is worth the effort.

This article explains why going to the extra effort of least privilege and minimizing permissions is worth the resulting lowered exposure to cyberattacks.

Minimizing Permissions with Least Privilege and Account Separation

Failing to observe the principles of least privilege and account separation is one of the most common and damaging ways that organizations and employees jeopardize their organizational cybersecurity.

The requirement for some users to have multiple accounts increases the burden on the security team for account management. It can also interrupt workflow for users with multiple accounts due to the need to switch accounts as they perform privileged and unprivileged actions.

This decreased efficiency often leads employees and organizations to ignore these principles in favor of productivity. However, failing to properly implement these practices can dramatically increase the probability that an organization will be the victim of a significant cybersecurity incident.

Taking the easier, more "popular" path endangers the enterprise by exposing these more powerful and dangerous accounts to compromise through common attack vectors.


What is Least Privilege?

Enabling a particular user account to perform more than its bare minimum duties is a risky decision from a security context. Whether it’s a benign user acting out of ignorance or a threat actor performing a deliberate attack, a user with access to unnecessarily elevated privileges has the potential to cause significant harm to an organization’s computational resources.

The principle of least privilege states that an account should have only the minimum level of access necessary for the user to perform the duties for which the account exists.

For example, a computer user whose job duties only require the ability to use the Internet and productivity tools like Microsoft Office does not require Administrator privileges on their computer. Implementing least privilege for this account significantly decreases the probability of a major cybersecurity incident, since the potential impact that the user (or anyone who compromises the account) can have on the system is minimized.

What is Account Separation?

The principle of account separation complements the principle of least privilege. It acknowledges that there are circumstances in which a user may require elevated privileges to perform certain job duties and states that a separate account with elevated privileges should be created to perform those duties and only those duties.

For example, a system administrator has a legitimate need for elevated permissions on devices under their care. This employee should have two accounts: one with limited permissions and one with elevated permissions. When performing tasks that do not require elevated permissions (web browsing, email, document editing, etc.), the limited account should be used.

Only in the cases where elevated permissions are required for a task should the more powerful account be used and only for those tasks that require it. This separation insulates (as much as possible) the elevated account from compromise due to threats arising from daily operations.
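The two principles above can be checked mechanically against an account inventory. The following is an added example, not code from the original article: it audits a constructed inventory for least-privilege violations (an account holding permissions its role does not need), for account-separation violations (an elevated account that is also used for daily tasks such as email), and for owners who hold an elevated account without a separate limited one. The role names, permission names and account records are all assumptions made for the illustration.

```python
"""Audit an account inventory for least-privilege and account-separation violations.

Added example (not from the original article). Roles, permission names and the
sample accounts below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Permissions each job role legitimately needs (constructed policy table).
ROLE_PERMISSIONS = {
    "office_user": {"internet", "office_apps"},
    "sysadmin": {"internet", "office_apps", "local_admin", "server_admin"},
}

# Permissions that count as elevated. They should live only on a dedicated
# admin account that is never used for day-to-day work.
ELEVATED = {"local_admin", "server_admin", "domain_admin"}

# Activities that belong to daily operations (the common attack surface).
DAILY_USE = {"mailbox", "web_browsing"}


@dataclass
class Account:
    name: str
    owner: str                      # the human behind the account
    role: str                       # job role used to look up allowed permissions
    permissions: set
    daily_use: set = field(default_factory=set)  # what the account is actually used for


def least_privilege_findings(accounts):
    """Return (account name, sorted extra permissions) for every account that holds
    permissions its role does not require."""
    findings = []
    for acct in accounts:
        allowed = ROLE_PERMISSIONS.get(acct.role, set())
        extra = acct.permissions - allowed
        if extra:
            findings.append((acct.name, sorted(extra)))
    return findings


def account_separation_findings(accounts):
    """Return names of elevated accounts that are also used for daily-operation
    activities (email, browsing), i.e. accounts that mix both roles."""
    return [
        acct.name
        for acct in accounts
        if acct.permissions & ELEVATED and acct.daily_use & DAILY_USE
    ]


def owners_missing_limited_account(accounts):
    """Return owners who hold an elevated account but have no limited account
    to use for ordinary work."""
    with_elevated = {a.owner for a in accounts if a.permissions & ELEVATED}
    with_limited = {a.owner for a in accounts if not (a.permissions & ELEVATED)}
    return sorted(with_elevated - with_limited)


# Constructed sample inventory.
SAMPLE_ACCOUNTS = [
    # office worker who was granted local admin "for convenience"
    Account("alice", "alice", "office_user",
            {"internet", "office_apps", "local_admin"}, {"mailbox", "web_browsing"}),
    # sysadmin done correctly: a limited daily account plus a separate admin account
    Account("bob", "bob", "sysadmin", {"internet", "office_apps"}, {"mailbox", "web_browsing"}),
    Account("bob-adm", "bob", "sysadmin", {"local_admin", "server_admin"}),
    # sysadmin who reads email from the admin account and has no limited account
    Account("carol-adm", "carol", "sysadmin", {"server_admin"}, {"mailbox"}),
]

if __name__ == "__main__":
    print("least privilege:", least_privilege_findings(SAMPLE_ACCOUNTS))
    print("account separation:", account_separation_findings(SAMPLE_ACCOUNTS))
    print("no limited account:", owners_missing_limited_account(SAMPLE_ACCOUNTS))
```

Note that "alice" appears in all three lists: her only account is elevated, so the remedy is to strip the unneeded permission rather than to create a second account, whereas "carol" needs a separate limited account for daily work.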

How Attackers Exploit Excessive Permissions

The vast majority of successful enterprise cyberattacks are based on social engineering. More specifically, spear-phishing attacks, in which the end-user is specifically targeted by the attacker, are some of the most effective ways to compromise enterprise cybersecurity defenses. These phishing attacks exploit users performing a risky activity that requires no elevated permissions: reading their email.


If an attacker compromises an unprivileged account on a well-managed system, the amount of damage the attacker can do is limited. If no vulnerabilities allow a privilege escalation attack and the system does not provide the ability to pivot to a more valuable system, the impact of the intrusion may be limited to theft or loss of the data available to that specific account on that system.

If, on the other hand, the attacker compromises a privileged account on the system, the potential for harm is significantly greater. Privileged accounts may allow the attacker to steal credential information for other accounts on the system, potentially allowing them to be used to further the attack.

Elevated privileges allow the attacker to compromise the entire system and possibly spread the attack across the network in a way not possible with a limited account.
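Because phishing lands on whatever account is reading email, the defender's interest is in noticing when an elevated account is being used for that daily activity. The following is an added example, not part of the original article: a small detector run over constructed, simplified logon and process-creation records (modelled loosely on Windows event IDs 4624 and 4688, but in a flattened key=value form that is an assumption of this example). It flags interactive logons by privileged accounts onto workstations and daily-use applications such as a mail client launched under a privileged account. The host naming scheme, the admin account list and the process list are assumptions.

```python
"""Flag privileged accounts being used for daily operations (added example, not
from the original article). Log format, host names and account names are constructed.
"""
import re

# Accounts that carry elevated permissions (constructed list; in practice this
# would come from the directory, e.g. membership of an admin group).
ADMIN_ACCOUNTS = {"bob-adm", "carol-adm"}

# Applications that belong to daily use and should never run under an admin account.
DAILY_USE_PROCESSES = {"outlook.exe", "chrome.exe", "msedge.exe", "winword.exe"}

# Logon types that put the account's credentials on the machine interactively
# (2 = interactive, 10 = remote interactive), using Windows 4624 numbering.
INTERACTIVE_LOGON_TYPES = {"2", "10"}

# Parse "key=value" pairs; values may be double-quoted to allow spaces.
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one constructed log line into a dict of fields (quotes stripped)."""
    fields = {}
    for key, value in _PAIR.findall(line):
        fields[key] = value.strip('"')
    return fields


def is_workstation(host):
    # Assumed naming convention: workstations are named WS-<number>.
    return host.upper().startswith("WS-")


def find_violations(lines):
    """Return (timestamp, user, reason) for each record where a privileged account
    is used for something that should be done from the limited account."""
    violations = []
    for line in lines:
        rec = parse_record(line)
        user = rec.get("user", "")
        if user not in ADMIN_ACCOUNTS:
            continue  # limited accounts doing daily work is the expected case
        if (rec.get("event") == "4624"
                and rec.get("logon_type") in INTERACTIVE_LOGON_TYPES
                and is_workstation(rec.get("host", ""))):
            violations.append((rec["ts"], user, "interactive logon to workstation"))
        elif rec.get("event") == "4688":
            exe = rec.get("process", "").rsplit("\\", 1)[-1].lower()
            if exe in DAILY_USE_PROCESSES:
                violations.append((rec["ts"], user, f"daily-use application {exe}"))
    return violations


# Constructed sample records: the limited account "bob" reads email normally,
# then "bob-adm" logs on to the same workstation and opens the mail client.
SAMPLE_LOG = [
    'ts=2024-05-02T09:01:10Z host=WS-0142 event=4624 user=bob logon_type=2',
    'ts=2024-05-02T09:03:44Z host=WS-0142 event=4624 user=bob-adm logon_type=2',
    'ts=2024-05-02T09:05:00Z host=SRV-DC01 event=4624 user=carol-adm logon_type=10',
    r'ts=2024-05-02T09:07:12Z host=WS-0142 event=4688 user=bob-adm process="C:\Program Files\Microsoft Office\OUTLOOK.EXE"',
    r'ts=2024-05-02T09:08:00Z host=WS-0142 event=4688 user=bob process="C:\Program Files\Microsoft Office\OUTLOOK.EXE"',
]

if __name__ == "__main__":
    for ts, user, reason in find_violations(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

The remote-interactive logon of "carol-adm" to a server is not flagged: that is exactly what the elevated account exists for. What the detector surfaces is the admin account being exposed to the same attack surface (a workstation session, a mail client) that the limited account was created to absorb.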

Practicing Good Privilege Management

A strong organizational privilege management solution is essential to protecting an organization against significant cyberattacks. By separating accounts with elevated privileges from the most common attack vectors, it is possible to dramatically reduce the impact of a cybersecurity incident.

By developing a strategy to achieve employee buy-in and implementing solutions to minimize the impacts of account separation and least privilege on employee workflows, an organization can dramatically improve its cybersecurity posture.
